diff --git a/configuration.nix b/configuration.nix
index b3a0346..d2bbb2c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -69,6 +69,8 @@
 ./services/ntfy
 ./services/mollysocket.nix
+
+ ./services/harmonia.nix
 ];
 # Hosts entries for CI/CD deploy targets
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index 63c612d..26d0ee4 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -167,5 +167,21 @@
 owner = "root";
 group = "root";
 };
+
+ # Harmonia binary cache signing key
+ harmonia-sign-key = {
+ file = ../secrets/harmonia-sign-key.age;
+ mode = "0400";
+ owner = "harmonia";
+ group = "harmonia";
+ };
+
+ # Caddy basic auth for nix binary cache (separate from main caddy_auth)
+ nix-cache-auth = {
+ file = ../secrets/nix-cache-auth.age;
+ mode = "0400";
+ owner = "caddy";
+ group = "caddy";
+ };
 };
 }
diff --git a/secrets/harmonia-sign-key.age b/secrets/harmonia-sign-key.age
new file mode 100644
index 0000000..07ea34b
Binary files /dev/null and b/secrets/harmonia-sign-key.age differ
diff --git a/secrets/nix-cache-auth.age b/secrets/nix-cache-auth.age
new file mode 100644
index 0000000..10b7a7a
Binary files /dev/null and b/secrets/nix-cache-auth.age differ
diff --git a/service-configs.nix b/service-configs.nix
index 1a98996..24d8429 100644
--- a/service-configs.nix
+++ b/service-configs.nix
@@ -189,6 +189,10 @@ rec {
 port = 9563;
 proto = "tcp";
 };
+ harmonia = {
+ port = 5500;
+ proto = "tcp";
+ };
 };
 };
diff --git a/services/harmonia.nix b/services/harmonia.nix
new file mode 100644
index 0000000..002735e
--- /dev/null
+++ b/services/harmonia.nix
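Review bot: The comment on the new nix-cache-auth entry in modules/age-secrets.nix says what the secret is for but not what it must contain; services/harmonia.nix in this same commit `import`s the decrypted file straight into the Caddyfile, so it has to be a complete Caddyfile snippet rather than a bare user:hash line, and a malformed file would break Caddy config validation for every vhost at startup. Suggest extending the comment to `# Caddy basic auth for nix binary cache (separate from main caddy_auth).` / `# Imported verbatim into the Caddyfile by services/harmonia.nix, so it must be a complete Caddyfile snippet.` The harmonia-sign-key entry holds the private half of the cache signing key, and its comment could note where the matching public key is kept and distributed to clients (nix.conf trusted-public-keys), since the commit does not say and a rotated private key is useless to consumers until the public half is updated with it.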
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ service_configs,
+ ...
+}:
+{
+ imports = [
+ (lib.serviceFilePerms "harmonia" [
+ "Z /run/agenix/harmonia-sign-key 0400 harmonia harmonia"
+ ])
+ ];
+
+ services.harmonia = {
+ enable = true;
+ signKeyPaths = [ config.age.secrets.harmonia-sign-key.path ];
+ settings.bind = "127.0.0.1:${toString service_configs.ports.private.harmonia.port}";
+ };
+
+ services.caddy.virtualHosts."nix-cache.${service_configs.https.domain}".extraConfig = ''
+ import ${config.age.secrets.nix-cache-auth.path}
+ reverse_proxy :${toString service_configs.ports.private.harmonia.port}
+ '';
+}
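Review bot: The tmpfiles rule passed to lib.serviceFilePerms hard-codes `/run/agenix/harmonia-sign-key`, while signKeyPaths a few lines later reads the same file through `config.age.secrets.harmonia-sign-key.path`; if the agenix secrets directory is ever changed, the permission fix-up would silently target a path that does not exist while harmonia keeps reading the real one. Use the option value in both places: `"Z ${config.age.secrets.harmonia-sign-key.path} 0400 harmonia harmonia"`. The owner and mode given in that rule also duplicate what modules/age-secrets.nix declares for this secret, so a one-line comment explaining why the extra rule is needed (presumably the project's serviceFilePerms convention) would save the next reader from wondering which of the two is authoritative. The module would also benefit from a header comment stating the exposure model the code establishes: harmonia binds to loopback only, and the cache is reachable externally solely through the Caddy vhost, which is gated by the imported basic-auth snippet.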